Saturday, October 23, 2010

The “Not So” Perfect Keylogger

I have seen a number of cases lately in which the method of data aggregation on Point of Sale Terminals was the use of Blazing Tools Perfect Keylogger. This is a commercial tool that is used to track the computer use of individuals within a family or a company. This blog is not about the legality or ethics of this tool, but rather about the technical specifics when looking for this tool during a compromise.

Below, is a timeline excerpt from a case I was working recently in which I saw Perfecet Keylogger running natively (ie…under the default naming convention). It should be noted, that the means of infiltration in 99% of these cases in an open remote administration port and default administrative passwords. This gave the intruders an easy path onto the target systems, and the credentials necessary to install the malware.

Pay special attention if you will, to the file names besides bpk.exe, specifically the letters after the “k” in “bpk”.

As you can see, some of the key file names associated with Perfect Keylogger are: bpk.exe, bpkr.exe, bpkhk.dll, bpk.dat, and the configuration file not listed in the first timeline excerpt, pk.bin. These files are normally found in the C:\Windows\System32 directory, but can really run from any custom location, as indicated by the second timeline excerpt. When it’s seen in a RAM dump, it looks like this:

Below is a second example, in which the naming convention has been changed to confuse the would be investigator. Look at the letters after the “t” in “wuault.exe”. Do they look familiar? They should!

Notice that the path is C:\windows\security. Also of note, look at the timeline above…see the “birth” date in my timeline? It says “Fri Aug 21 2009 02:42:56”, but the first prefetch file shows a timestamp of, “Sat Aug 21 2010 02:43:06”. About 10 seconds later…exactly one year later? What’s up with that? Well…let me tell you, but first, let’s quickly go over the Master File Table ($MFT), specifically the Standard_Information ($S_I), and File_Name ($F_N) attributes.REAL basically, we all know that the $MFT holds information about the files on the disk. Well, one of those attributes, the $S_I, is accessible by the operating system (OS) and the user. So, what…that means that they can be changed, accessed, and yes…stomped. BUT, the $F_N attribute is not touched by anything except the kernel. So what does that mean? It means no modifications by the OS or the user…ie…no stomping.

So, Harlan sent me a Perl script he wrote which goes through the $MFT and extracts and parses the $S_I and $F_N attributes. So with our friend bpk.exe, it would look like this:

And…it matches our Prefetch file, which further supports our finding that the timestamps have been modified. So be wary…if you come across Perfect Keylogger in a case, it will be offset by one year – I have seen this to be true in every Perfect Keylogger case I have worked, and it seems to be done as part of the install script. Now, while I have seen the binaries and associated dlls renamed, I have not seen the dump file (bpk.dat) or the configuration file (pk.bin) renamed. After downloading a trial version of Perfect Keylogger, I can see that you can change the output file, and path, so it’s possible…but like I said…just never seen it. I’m not certain the same can be said for the configuration file. I have tried several times unsuccessfully, so I think it may be hard coded into the program.

So if you try to open the bpk.dat, and the pk.bin they appear to be encrypted. Or are they? Through the efforts of the SpiderLabs Research Team, we found that they are NOT really encrypted, but rather encoded with a single xor key, 0xAA. So, when you use a simple xor script, against either one, you may get something that looks like this (since this was from a real case, I have modified the output, but the methods and the output format looks the same):

So, this is great! You have the attacker’s email, the server he was using, his username and password! Better yet, you have the key-combo which is used to bring the Keylogger out of hidden mode. If the attacker wanted to use FTP instead of SMTP, you would see the same type of login information as you do for the SMTP example provided above. If you know that it’s running, but you don’t see the icon in the bottom of the screen, it’s in hidden mode. Simply use this key combination, and BAM, the icon will suddenly appear! Then, simply enter in the “PK Password” and you have access to the admin console of the keylogger! This configuration file will give you access to the time intervals in which the dump file is emailed or FTP’d. Pretty slick eh!

Now, it also uses the same xor to encode the dump file! So if you run the same xor script, you may see something that looks like this:

Nice! Note that if you don’t have any scripting-fu (Perl, Ruby, Python, etc) you can simply install the trial version of Perfect Keylogger in a vmimage, and use the “view the log” option to see the decoded versions of the logs.

Additionally, the only registry entries I have seen for Perfect Keylogger are in the UserAssist key of an ntuser.dat file, showing initial execution, and in the RUN key of the SOFTWARE hive, showing that it’s set to start up at reboot.

Software Hive=========Software\Microsoft\Windows\CurrentVersion\RunC:\P15xx\DisableWriteCache.exe -s all"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelperC:\WINDOWS\System32\bpk.exe ← Indicates that the keylogger will start each time the system boots.

So, if you are working on a case and you expect that you may have Perfect Keylogger, here are the key indicators of compromise:

Presence of:• pk.bin, or bpk.dat (configuration or dump files)• bpk.exe, wuault.exe, wuauclt.exe (running from the incorrect directory)• binary and dlls timestopmed (check the $MFT)• Entries in the ntuser.dat and SOFTWARE hives• Active process running RAM with the same ending letters (as seen in the timeline example)

You can decode the configuration file and dump files with a simple xor, 0xAA key. Alternatively, you can use the demo version of the keylogger itself to open the dump file.

Hi there.Great info.On a compromised mac where this has been found and removed, there was a "com.BT.BPK.plist" file which can be opened with a plist editor, you can see lots of the same info and the file has all the configuration lines the same as the windows dat file it seems.Can this file be analysed to retrieve the smtp server settings etc as you have shown above?

As even though the file can be opened, although the basic settings such as email frequency can be seen - the server it was sending to and address etc are hex/md5/hashed or otherwise coded in an unreadable format.

Could you please post a very basic howto about how you opened the dat file with what script and what other things would need installing?Either on windows or linux.

Too late to help the anonymous poster from Dec 29th, but for the benefit of other people who find this on a Mac: the encrypted values in the com.BT.BPK plist file are simply xored with 0xAA and then base64-encoded. To extract them, base64-decode and xor with 0xAA.